Quality Control Review of the Independent Auditor’s Report on the Federal Aviation Administration’s Audited Consolidated Financial Statements for Fiscal Years 2020 and 2019
Report No. QC2021007 November 13, 2020
Quality Control Review of the Independent Auditor’s Report on the Federal Aviation Administration’s Audited Consolidated Financial Statements for Fiscal Years 2020 and 2019 Required by the Chief Financial Officers Act of 1990 QC2021007 | November 13, 2020
What We Looked At We contracted with the independent public accounting firm KPMG LLP to audit the Federal Aviation Administration’s (FAA) consolidated financial statements as of and for the fiscal years ended September 30, 2020, and September 30, 2019, and provide an opinion on those financial statements, to report on internal control over financial reporting, and to report on compliance with laws and other matters. The contract requires the audit to be performed in accordance with U.S. generally accepted Government auditing standards, Office of Management and Budget audit guidance, and the Government Accountability Office’s and Council of the Inspectors General on Integrity and Efficiency’s Financial Audit Manual. We performed a quality control review of KPMG’s report dated November 9, 2020, and related documentation, and inquired of its representatives.
What We Found Our quality control review disclosed no instances in which KPMG did not comply, in all material respects, with U.S. generally accepted Government auditing standards.
Recommendations FAA concurred with KPMG’s three recommendations. We agree with KPMG’s recommendations and are not making any additional recommendations.
All OIG audit reports are available on our website at www.oig.dot.gov. For inquiries about this report, please contact our Office of Government and Public Affairs at (202) 366-8751.
Contents
Memorandum 1
KPMG’s Report 2
Quality Control Review 3
Agency Comments and OIG Response 3
Actions Required 4
Exhibit. List of Acronyms 5
Attachment 1. Independent Auditor’s Report 6
Attachment 2. Agency Response 7
Attachment 3. Agency Performance and Accountability Report 8
QC2021007
U.S. DEPARTMENT OF TRANSPORTATION OFFICE OF INSPECTOR GENERAL
Memorandum
Date: November 13, 2020
Subject: ACTION: Quality Control Review of the Independent Auditor’s Report on the Federal Aviation Administration’s Audited Consolidated Financial Statements for Fiscal Years 2020 and 2019 | Report No. QC2021007
From: Louis C. King Assistant Inspector General for Financial Audits
To: Federal Aviation Administrator
I respectfully submit the results of our quality control review (QCR) of the independent auditor’s report on the Federal Aviation Administration’s (FAA) audited consolidated financial statements for fiscal years 2020 and 2019.
We contracted with the independent public accounting firm KPMG LLP to audit FAA’s consolidated financial statements as of and for the fiscal years ended September 30, 2020, and September 30, 2019, and provide an opinion on those financial statements, to report on internal control over financial reporting, and to report on compliance with laws and other matters. The contract requires the audit to be performed in accordance with U.S. generally accepted Government auditing standards, Office of Management and Budget audit guidance, and the Government Accountability Office’s and Council of the Inspectors General on Integrity and Efficiency’s Financial Audit Manual.1
We appreciate the cooperation and assistance of FAA’s representatives and KPMG. If you have any questions about this report, please call me at (202) 366-1407, or George Banks, Program Director, at (202) 420-1116.
cc: The Secretary DOT Audit Liaison, M-1 FAA Audit Liaison, AAE-001
1 Financial Audit Manual, volumes 1, 2, and 3, GAO-18-601G and GAO-18-625G, updated April 2020; GAO-18-626G, June 2018. QC2021007 1
KPMG’s Report
In its audit of FAA’s consolidated financial statements for fiscal years 2020 and 2019, KPMG reported that
• FAA’s consolidated financial statements2 were fairly presented, in all material respects, in accordance with U.S. generally accepted accounting principles;
• it found one significant deficiency3 in internal control over financial reporting that it did not consider to be a material weaknesses;4 and
• there were no instances of reportable noncompliance with provisions of laws tested or other matters.
KPMG made three recommendations to address the significant deficiency in internal control over financial reporting (see attachment 1).
Significant Deficiency
Weaknesses in general information technology controls. KPMG identified general information technology control deficiencies at the application, database, and/or operating system levels related to audit log review and access controls for FAA’s general ledger, timekeeping, inventory, procurement, and environmental systems. More specifically, controls were not operating effectively over
• the review of audit logs, including documentation to evidence appropriate and timely completion of the review; or
• system access, including privileged account reviews, new user authorizations, and periodic review and recertification of access.
2 The consolidated financial statements are included in FAA’s Performance and Accountability Report (see attachment 3). 3 A significant deficiency is a deficiency, or a combination of deficiencies, in internal control over financial reporting that is less severe than a material weakness, yet important enough to merit attention by those charged with governance. A deficiency in internal control exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent, or detect and correct, misstatements on a timely basis. 4 A material weakness is a deficiency, or a combination of deficiencies, such that there is a reasonable possibility that a material misstatement of the entity's financial statements will not be prevented, or detected and corrected, on a timely basis. QC2021007 2
In addition, KPMG determined FAA management did not implement component- specific security plan requirements for certain systems that are used to compile FAA’s financial statements.
Recommendations
To help strengthen FAA’s general information technology controls, KPMG recommended that FAA management:
1. Design and implement procedures to consistently and timely perform and document audit log reviews as required by standards for effective internal control systems and/or internal policies;
2. Design and implement procedures to consistently and timely perform and document user account access reviews as required by standards for effective internal control systems and/or internal policies; and
3. Implement component-specific system security plan requirements.
Quality Control Review
We performed a QCR of KPMG’s report, dated November 9, 2020, and related documentation, and inquired of its representatives. Our review, as differentiated from an audit of the financial statements in accordance with U.S. generally accepted Government auditing standards, was not intended to enable us to express, and we do not express, an opinion on FAA’s consolidated financial statements or conclusions about the effectiveness of internal control over financial reporting, or compliance with laws and other matters. KPMG is responsible for its report and the conclusions expressed therein.
Our QCR disclosed no instances in which KPMG did not comply, in all material respects, with U.S. generally accepted Government auditing standards.
Agency Comments and OIG Response
KPMG provided FAA with its draft report on November 4, 2020, and received FAA’s response, dated November 9, 2020 (see attachment 2). FAA agreed with the significant deficiency KPMG found.
FAA concurred with KPMG’s three recommendations and committed to developing a corrective action plan to address the significant deficiency by December 31, 2020. We
QC2021007 3
agree with KPMG’s recommendations and are not making any additional recommendations.
Actions Required
We consider all three of KPMG’s recommendations open and unresolved pending receipt of the corrective action plan.
QC2021007 4
Exhibit. List of Acronyms
DOT Department of Transportation FAA Federal Aviation Administration OIG Office of Inspector General QCR quality control review
Exhibit. List of Acronyms 5
Attachment 1. Independent Auditor’s Report
Attachment 1. Independent Auditor’s Report 6
KPMG LLP Suite 12000 1801 K Street, NW Washington, DC 20006
Independent Auditors’ Report
Administrator, Federal Aviation Administration and Inspector General U.S. Department of Transportation, Federal Aviation Administration:
Report on the Financial Statements We have audited the accompanying consolidated financial statements of the U.S. Department of Transportation (the Department), Federal Aviation Administration (FAA), which comprise the consolidated balance sheets as of September 30, 2020 and 2019, and the related consolidated statements of net cost, and changes in net position, and combined statements of budgetary resources for the years then ended, and the related notes to the consolidated financial statements.
Management’s Responsibility for the Financial Statements Management is responsible for the preparation and fair presentation of these consolidated financial statements in accordance with U.S. generally accepted accounting principles; this includes the design, implementation, and maintenance of internal control relevant to the preparation and fair presentation of consolidated financial statements that are free from material misstatement, whether due to fraud or error.
Auditors’ Responsibility Our responsibility is to express an opinion on these consolidated financial statements based on our audits. We conducted our audits in accordance with auditing standards generally accepted in the United States of America, in accordance with the standards applicable to financial audits contained in Government Auditing Standards issued by the Comptroller General of the United States, and in accordance with Office of Management and Budget (OMB) Bulletin No. 19-03, Audit Requirements for Federal Financial Statements. Those standards and OMB Bulletin No. 19-03 require that we plan and perform the audit to obtain reasonable assurance about whether the consolidated financial statements are free from material misstatement.
An audit involves performing procedures to obtain audit evidence about the amounts and disclosures in the consolidated financial statements. The procedures selected depend on the auditors’ judgment, including the assessment of the risks of material misstatement of the consolidated financial statements, whether due to fraud or error. In making those risk assessments, the auditor considers internal control relevant to the entity’s preparation and fair presentation of the consolidated financial statements in order to design audit procedures that are appropriate in the circumstances, but not for the purpose of expressing an opinion on the effectiveness of the entity’s internal control. Accordingly, we express no such opinion. An audit also includes evaluating the appropriateness of accounting policies used and the reasonableness of significant accounting estimates made by management, as well as evaluating the overall presentation of the consolidated financial statements.
We believe that the audit evidence we have obtained is sufficient and appropriate to provide a basis for our audit opinion.
Opinion In our opinion, the consolidated financial statements referred to above present fairly, in all material respects, the financial position of the U.S. Department of Transportation, Federal Aviation Administration as of September 30, 2020 and 2019, and its net costs, changes in net position, and budgetary resources for the years then ended in accordance with U.S. generally accepted accounting principles.
KPMG LLP, a Delaware limited liability partnership and a member firm of the KPMG global organization of independent member firms affiliated with KPMG International Limited, a private English company limited by guarantee. Other Matters Interactive Data Management has elected to reference to information on websites or other forms of interactive data outside the Performance and Accountability Report to provide additional information for the users of its financial statements. Such information is not a required part of the basic consolidated financial statements or supplementary information required by the Federal Accounting Standards Advisory Board. The information on these websites or the other interactive data has not been subjected to any of our auditing procedures, and accordingly we do not express an opinion or provide any assurance on it.
Required Supplementary Information U.S. generally accepted accounting principles require that the information in the Management’s Discussion and Analysis and Required Supplementary Information sections be presented to supplement the basic consolidated financial statements. Such information, although not a part of the basic consolidated financial statements, is required by the Federal Accounting Standards Advisory Board who considers it to be an essential part of financial reporting for placing the basic consolidated financial statements in an appropriate operational, economic, or historical context. We have applied certain limited procedures to the required supplementary information in accordance with auditing standards generally accepted in the United States of America, which consisted of inquiries of management about the methods of preparing the information and comparing the information for consistency with management’s responses to our inquiries, the basic consolidated financial statements, and other knowledge we obtained during our audits of the basic consolidated financial statements. We do not express an opinion or provide any assurance on the information because the limited procedures do not provide us with sufficient evidence to express an opinion or provide any assurance.
Other Information Our audits were conducted for the purpose of forming an opinion on the basic consolidated financial statements as a whole. The In a Day’s Work, Foreword, Messages from the Administrator and the Chief Financial Officer, Performance Results and Other Information sections, as listed in the Table of Contents of the Performance and Accountability Report, is presented for purposes of additional analysis and is not a required part of the basic consolidated financial statements. Such information has not been subjected to the auditing procedures applied in the audits of the basic consolidated financial statements, and accordingly, we do not express an opinion or provide any assurance on it.
Other Reporting Required by Government Auditing Standards Internal Control over Financial Reporting In planning and performing our audit of the consolidated financial statements as of and for the year ended September 30, 2020, we considered the FAA’s internal control over financial reporting (internal control) as a basis for designing audit procedures that are appropriate in the circumstances for the purpose of expressing our opinion on the consolidated financial statements, but not for the purpose of expressing an opinion on the effectiveness of the FAA’s internal control. Accordingly, we do not express an opinion on the effectiveness of the FAA’s internal control. We did not test all internal controls relevant to operating objectives as broadly defined by the Federal Managers’ Financial Integrity Act of 1982.
A deficiency in internal control exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent, or detect and correct, misstatements on a timely basis. A material weakness is a deficiency, or a combination of deficiencies, in internal control, such that there is a reasonable possibility that a material misstatement of the entity’s financial statements will not be prevented, or detected and corrected, on a timely basis. A significant deficiency is a deficiency, or a combination of deficiencies, in internal control that is less severe than a material weakness, yet important enough to merit attention by those charged with governance.
2 Our consideration of internal control was for the limited purpose described in the first paragraph of this section and was not designed to identify all deficiencies in internal control that might be material weaknesses or significant deficiencies and therefore, material weaknesses or significant deficiencies may exist that have not been identified. Given these limitations, during our audit we did not identify any deficiencies in internal control that we consider to be material weaknesses. We did identify certain deficiencies in internal control, described in the accompanying Exhibit I as item 2020-1, that we consider to be a significant deficiency.
Compliance and Other Matters As part of obtaining reasonable assurance about whether the FAA’s consolidated financial statements as of and for the year ended September 30, 2020 are free from material misstatement, we performed tests of its compliance with certain provisions of laws, regulations, contracts, and grant agreements, noncompliance with which could have a direct and material effect on the financial statements. However, providing an opinion on compliance with those provisions was not an objective of our audit, and accordingly, we do not express such an opinion. The results of our tests disclosed no instances of noncompliance or other matters that are required to be reported under Government Auditing Standards or OMB Bulletin No. 19-03.
FAA’s Response(s) to Findings The FAA’s response to the findings identified in our audit is described in the section titled Management’s Response to the Independent Auditor’s Report. The FAA’s response was not subjected to the auditing procedures applied in the audit of the consolidated financial statements and, accordingly, we express no opinion on the response.
Purpose of the Other Reporting Required by Government Auditing Standards The purpose of the communication described in the Other Reporting Required by Government Auditing Standards section is solely to describe the scope of our testing of internal control and compliance and the results of that testing, and not to provide an opinion on the effectiveness of the FAA’s internal control or compliance. Accordingly, this communication is not suitable for any other purpose.
Washington, DC November 9, 2020
3
Federal Aviation Administration Independent Auditors’ Report EXHIBIT I Internal Control Over Financial Reporting SIGNIFICANT DEFICIENCY
2020 - 01: Weaknesses in General Information Technology Controls
Background The Federal Aviation Administration (FAA) utilizes various information technology systems to carry out its mission and to compile amounts recorded in its financial statements. In addition to its general ledger system, FAA utilizes various information technology systems including; a timekeeping system to record employee time and attendance, an inventory system related to asset management and inventory control, a procurement system to record and track requisitions, purchase orders, and contracts, and a site management system that tracks the environmental investigation, remediation, and regulatory closure status of the FAA’s environmental sites.
The general ledger system and the timekeeping system are owned by the Department of Transportation (the Department). All other systems are owned by the FAA.
For systems owned by FAA, FAA is required to implement controls defined in the component-specific system security plans for those areas not addressed in the Departmental system security plan. For systems owned by the Department, the Department is required to implement certain component-specific system security plans for those areas not addressed in the Departmental system security plan.
Criteria The U.S. General Accountability Office (GAO) Standards for Internal Control in the Federal Government (Green Book), sets the standards for an effective internal control system and provides an overall framework for designing, implementing, and operating effective internal control systems. The standards require entities to design appropriate types of control activities to include limiting access to resources and records to authorized individuals, and to periodically compare resources with the recorded accountability to help reduce the risk of errors, fraud, misuse, or unauthorized alteration. In addition, management should communicate quality information down and across reporting lines to enable personnel to perform key roles in achieving objectives, addressing risks, and supporting the internal control system. In these communications, management assigns the internal control responsibilities for key roles.
Condition Control deficiencies exist at the application, database, and/or operating system levels related to audit log review and access controls for the systems mentioned above and as listed below:
• Controls were not operating effectively over the review of audit logs, including documentation to evidence appropriate and timely completion of the review.
• Controls were not operating effectively over system access, including privileged account reviews, new user authorizations, and periodic review and recertification of access.
In addition, management did not implement component-specific security plan requirements for certain systems that are used to compile FAA’s financial statements.
Cause Management has not defined, or consistently implemented procedures to ensure compliance with standards for effective internal control systems and/or internal policies. Effect The absence of timely reviews of audit logs leaves the FAA exposed to the risk of delays in identifying and responding to incidents which could result in the exposure, modification, or loss of system data. Further, user accounts with inappropriate access may result in unauthorized use, disclosure, or modification of system data. Lastly, weaknesses in security management controls increase the risk that systems are vulnerable to security threats and incidents which may compromise the confidentiality, availability and integrity of data.
Recommendations We recommend that FAA management:
1. Design and implement procedures to consistently and timely perform and document audit log reviews as required by standards for effective internal control systems and/or internal policies.
2. Design and implement procedures to consistently and timely perform and document user account access reviews as required by standards for effective internal control systems and/or internal policies.
3. Implement component-specific system security plan requirements.
Attachment 2. Agency Response
Attachment 2. Agency Response 7
Office of Financial Services 800 Independence Ave. S.W. Washington, DC 20591
November 9, 2020
Ms. Hannah Padilla KPMG LLP 1801 K Street, NW, Suite 1200 Washington, DC 20006
Dear Ms. Padilla,
We have received your Independent Auditors’ Report related to the Federal Aviation Administration's fiscal years 2020 and 2019 consolidated financial statements and offer the following response.
We appreciate working with you in support of an efficient and effective audit and are pleased to receive an unmodified audit result. The audit is an essential part of our fiscal responsibilities to our citizens and we take it very seriously.
We concur with the finding in your report. We will develop a corrective action plan to address this weakness and provide it to the Office of Inspector General by December 31, 2020. The corrective actions will include designing and implementing procedures to consistently and timely perform and document audit log and user account access reviews, and implementing component-specific system security plan requirements. I will monitor implementation of the plan throughout the corrective action process.
Thank you for your candor and the professional manner in which you and your team conducted your audit.
Sincerely,
David Rickard Chief Financial Officer
Attachment 3. Agency Performance and Accountability Report
Attachment 3. Agency Performance and Accountability Report 8
Fiscal Year
FAAFederal Aviation AdministrationPAR Performance and 2020Accountability Report Mission Vision Values
OUR MISSION
To provide the safest, most efficient aerospace system in the world.
OUR VISION
We strive to reach the next level of safety and efficiency and to demonstrate global leadership in how we safely integrate new users and technologies into our aviation system. We are accountable to the American public and our aviation stakeholders.
OUR VALUES
Safety Is Our Passion We work so that all air and space travelers arrive safely at their destinations.
Excellence Is Our Promise We seek results that embody professionalism, transparency, and accountability.
Integrity Is Our Touchstone We perform our duties honestly, with moral soundness, and with the highest level of ethics.
People Are Our Strength Our success depends on the respect, diversity, collaboration, and commitment of our workforce.
Innovation Is Our Signature We foster creativity and vision to provide solutions beyond today’s boundaries.
Above: Passengers at Hartsfield-Jackson Atlanta International Airport in Atlanta, GA. Photo by Joel Carillet/iStock. Cover photo: Social distancing floor stickers greet passengers waiting to check in at Hartsfield-Jackson Atlanta International Airport. Photo by Erik S. Lesser/EPA-EFE/Shutterstock. Table of Contents*
2 Foreword 136 OTHER INFORMATION 3 In a Day’s Work 137 Summary of Financial Statement Audit and 4 A Message from the Administrator Management Assurances 138 Payment Integrity 8 MANAGEMENT’S DISCUSSION AND 139 Fraud Reduction Report ANALYSIS 139 Real Property 9 History of Modern Aviation and the Creation of 140 Civil Monetary Penalty Inflation Adjustments the FAA 142 Grants Programs 10 FAA Organization 143 Administrative Services Franchise Fund 12 FAA in Action: COVID-19 Public Health Emergency 148 Summary of Inspector General’s Top 14 Major Accomplishments Management and Performance Challenges 21 Ongoing Challenges 169 List of Acronyms and Abbreviations 22 Performance Highlights 25 Performance at a Glance THE FAA CENTERS 28 Alignment of FAA Costs and Strategic Goals 19 The FAA William J. Hughes Technical Center 29 Financial Highlights 20 Mike Monroney Aeronautical Center 35 Budgetary Integrity: FAA Resources and How They Are Used CROSSCHECK YOUR KNOWLEDGE 38 Management Control Highlights 24 Expanding the FAA’s Firefighting Research 39 Management Assurances Capability 40 Financial Management Systems Strategy and 34 Maintaining Airport Safety During COVID-19: How Actions the FAA Helped Accommodate Thousands of Idled Aircraft 42 PERFORMANCE RESULTS 37 Improved Stakeholder Engagement—Online! 43 Performance Measures Overview 41 FAA Challenges Students to Build Virtual Airports 70 Quality Assurance of Performance Data 50 Preserving Airports During the Public Health Emergency: CARES Act Airport Grants 74 Quality Financial Management 73 FAA Administrator Completes Boeing 737 MAX Flight 80 FINANCIAL RESULTS 81 A Message from the Chief Financial Officer WE WELCOME YOUR COMMENTS 82 Office of the Inspector General (OIG) Quality (inside back cover) Control Review 87 Independent Auditors’ Report 92 Management’s Response to the FY 2020 THIS REPORT AND REPORTS FROM PRIOR YEARS Independent Auditors’ Report ARE AVAILABLE ON THE FAA WEBSITE 93 Financial Statements 97 Notes to the Financial Statements 131 Required Supplementary Information
* All sections of this document are unaudited, with the exception of the Financial Statements and the Notes to the Financial Statements (pages 93–130). 2019 2018 2017 2016 2020 www.faa.gov/about/plans_reports/#performance Foreword The Federal Aviation Administration (FAA) is part of the U.S. Department of Transportation (DOT). By directives, the Office of Management and Budget, with statutory authority from the Chief Financial Officers Act of 1990, requires the FAA to prepare financial statements separate from those of the DOT. The FAA consolidates its key data and information and provides it to the DOT to incorporate into their corresponding reports. Although the FAA is not required to prepare a separate Agency Financial Report or Performance and Accountability Report (PAR), it does so to better demonstrate the agency’s accountability by presenting performance, management, and financial information using the same statutory and guidance framework as that used by the DOT. For this reason, the FAA has produced its own PAR since fiscal year (FY) 2002.
The success of our financial stewardship is due to the diligent efforts of our employees who practice sound fiscal policies in supporting our mission, programs, and systems. We thank our people for their dedication and commitment to our mission and their transparent reporting of the important work of the agency.
The FAA is committed to providing the safest, most efficient aerospace system in the world, and fulfilling its mission in a fiscally responsible and transparent manner. This commitment is ongoing and the FAA is proud of the recognition we have received over the years for transparent reporting of our performance and accountability. The Certificate of Excellence in Accountability Reporting (CEAR) award program was established by the Association of Government Accountants in collaboration with the Chief Financial Officers Council and the Office of Management and Budget to improve government accountability by streamlining reporting and improving the effectiveness of reports. The FAA has received the prestigious CEAR award 16 of the last 17 years. Receiving the CEAR award is a significant accomplishment for a federal agency. We are also extremely honored to have been recognized seven times with special “best in class” awards for elements of our PAR that were considered to be the best across all of government. Also, for the first time in CEAR history, this year's awards program included a CEAR with Value-Added Distinction Award. This is the “Academy Award” VISIT US FROM of government financial and performance reporting YOUR awarded to one agency for highlighting, in their MOBILE DEVICE FY 2019 PAR, how financial management excellence M.FAA.GOV adds value to an agency’s management and delivery of its mission. FAA is extremely proud to be the first recipient of this inaugural award.
2 FISCAL YEAR 2020 FAA PERFORMANCE AND ACCOUNTABILITY REPORT In a Day’s Work
TOTAL EMPLOYEES 45,132 As of September 30, 2020 1,392 3,089 WI I I I I A I CI , NJ O CI O
36,628 I D I D I 4,023 D W I , DC